
Memory Analysis - Writeup by toffan

Challenge

Find the website that the fake svchost is accessing.

Solution

We get a RAM dump of a VM, forensic_100.raw. First, imageinfo tells us it is a Windows XP image. Then, following the hint, we look for the hosts file: filescan finds it at physical offset 0x000000000217b748, and once dumped it contains an interesting entry.

$ volatility -f forensic_100.raw imageinfo
[...]
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
[...]

$ volatility -f forensic_100.raw filescan | fgrep hosts
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

$ volatility -f forensic_100.raw dumpfiles -Q 0x000000000217b748 --name -D dump
$ cat dump/file.None.0x819a3008.hosts.dat
[...]
153.127.200.178    crattack.tistory.com

The challenge tells us that the problem lies with a svchost process, so that is the process we analyse. We know it is accessing a website, presumably the host we just found in the hosts file. We dump the memory of the svchost.exe process with PID 1776 and grep it for that hostname, which gives us a URL.

$ volatility -f forensic_100.raw pslist | grep svchost
[...]
0x81f65da0 svchost.exe            1776    672      2       23      0      0 2016-12-06 05:27:10 UTC+0000

$ volatility -f forensic_100.raw memdump -p 1776 -D dump
$ strings dump/1776.dmp | fgrep crattack.tistory.com
[...]
http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd

What is strange here is that the hosts entry does not match the hostname's real DNS records: dig returns 175.126.170.70 and 175.126.170.110, not 153.127.200.178, so the hosts file hijacks crattack.tistory.com on the victim. If we open crattack.tistory.com/entry/Data-Science-import-pandas-as-pd in a web browser we land on an unrelated website, and if we open 153.127.200.178/entry/Data-Science-import-pandas-as-pd we are redirected to the site root. Fetching the same path with curl, which does not follow redirects unless given -L, shows what the server actually returns for that request: the flag.

$ dig crattack.tistory.com
[...]
;; ANSWER SECTION:
crattack.tistory.com.   3471    IN  A   175.126.170.70
crattack.tistory.com.   3471    IN  A   175.126.170.110
[...]

$ curl 153.127.200.178/entry/Data-Science-import-pandas-as-pd
SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
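The three manual steps above (read the dumped hosts file, pull URLs out of the process memory dump, compare the hosts mapping with real DNS) are the kind of thing worth scripting once. The following is an added example, not toffan's code and not part of the original write-up. It works on constructed sample bytes embedded inline, so it runs offline; in real use you would feed it the output of `dumpfiles` and `memdump`. Two practical details it handles that the plain `strings | fgrep` step does not: the dumped hosts file is typically padded with NUL bytes beyond the end of its content, and Windows processes keep many strings as UTF-16LE, which `strings` without `-el` silently misses. The hostname `updates.example.com` and the DNS answers passed in as a dictionary are assumptions for the demo; `resolve_live` shows how to get real answers when a network is available.

```python
import re
import socket
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1"}

# --- constructed sample inputs (not data taken from the challenge image) ---
# A hosts file as dumpfiles would write it: CRLF line endings, a comment line
# and NUL padding after the end of the real content.
SAMPLE_HOSTS = (
    b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    b"127.0.0.1       localhost\r\n"
    b"153.127.200.178    crattack.tistory.com\r\n"
    + b"\x00" * 32
)

# A few bytes standing in for a memdump: one ASCII URL (the one from the
# write-up), one UTF-16LE URL with a hypothetical host, and noise around them.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00random bytes "
    b"http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\x00\x00"
    + "http://updates.example.com/check".encode("utf-16-le")
    + b"\x00\x00more noise http:// not a url\x00"
)

# What public DNS answered for the hostname in the write-up (the dig output).
SAMPLE_DNS = {"crattack.tistory.com": {"175.126.170.70", "175.126.170.110"}}


def parse_hosts(data: bytes) -> dict:
    """Return {hostname: ip} for every non-loopback mapping in a hosts file.

    NUL bytes are stripped first because dumpfiles pads the file's last
    page; comments and blank lines are ignored; hostnames are lowercased.
    """
    text = data.replace(b"\x00", b"").decode("utf-8", "replace")
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            continue
        for name in names:
            mapping[name.lower()] = ip
    return mapping


# Characters allowed after the scheme; the same class is reused for UTF-16LE
# by requiring a NUL after each character.
URL_CHARS = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]"
URL_ASCII = re.compile(rb"https?://" + URL_CHARS + rb"{4,}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_CHARS + rb"\x00){4,}"
)


def extract_urls(dump: bytes) -> list:
    """Carve http(s) URLs from raw process memory, ASCII and UTF-16LE."""
    found = {m.group().decode("ascii") for m in URL_ASCII.finditer(dump)}
    found |= {m.group().decode("utf-16-le") for m in URL_UTF16.finditer(dump)}
    return sorted(found)


def hijacked_urls(urls: list, hosts_map: dict) -> list:
    """(url, host, override_ip) for every URL whose host the hosts file redirects."""
    hits = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts_map:
            hits.append((url, host, hosts_map[host]))
    return hits


def dns_mismatches(hosts_map: dict, resolver: dict) -> dict:
    """{host: (override_ip, sorted DNS A records)} where the hosts file
    disagrees with DNS. `resolver` maps hostname -> set of A records."""
    bad = {}
    for host, ip in hosts_map.items():
        answers = resolver.get(host, set())
        if ip not in answers:
            bad[host] = (ip, sorted(answers))
    return bad


def resolve_live(host: str) -> set:
    """Real lookup for use instead of SAMPLE_DNS when a network is available."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return set()


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    urls = extract_urls(SAMPLE_DUMP)
    for url, host, ip in hijacked_urls(urls, hosts):
        print(f"{url} -> hosts file sends {host} to {ip}")
    for host, (ip, dns) in dns_mismatches(hosts, SAMPLE_DNS).items():
        print(f"{host}: hosts file says {ip}, DNS says {dns or 'no answer'}")
```

On the real image, replace the two constructed byte strings with `open("dump/file.None.0x819a3008.hosts.dat", "rb").read()` and `open("dump/1776.dmp", "rb").read()`, and build the resolver dictionary with `resolve_live` for each hostname returned by `parse_hosts`. Any URL reported by `hijacked_urls` is a candidate for the `curl` step against the override address rather than the real one.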
ctf/public/seccon2016/memory-analysis.txt · Last modified: 2016/12/14 19:20 by lemarcb